Archive for December 2011

Another year has passed us by. In 2011, Riskviews blog saw a dramatic upsurge in readership. That surge was coincident with changes to the Google search routines. Hits jumped from about 2000 per month in 2010 to a steady 3000 per month in 2011.

The Risk Management quotes were still by far the favorite feature of the blog, with about 800 hits per month. That has been steady for over 3 years now. What changed was the hits to the other content. The home page saw over 6000 hits in 2011, or about 500 per month. Some posts from prior years continue to be very popular.

“Every person takes the limits of their own field of vision for the limits of the world.” Arthur Schopenhauer

Life is a series of failures punctuated by brief successes. James Altucher

Managing risk is not just about assessing and monitoring all the things that could go wrong. Rather it is about understanding all the things that need to go right for an organization to achieve its mission and objectives. UN Joint Staff Pension Fund ERM Policy Statement

Across the grand sweep of history, the relationship between risk and return has been loose and variable.
Warren Hatch

“Call on God, but row away from the rocks.” Hunter S Thompson

“It don’t matter how hard you hit if you cannot take a punch” from the song Lend a Hand by Jakob Dylan

Don’t forget that people sometimes make very silly mistakes, especially when dealing with derivatives. Kevin Dowd

Frankly, I’m suspicious of anyone who has a strong opinion on a complicated issue. Scott Adams

People are disposed to get angry and punish those who violate the models that they themselves are using, but the targets of such sanctions often do not acknowledge that that particular model applies, or that their acts were transgressions, so they perceive the intended sanctions as illegitimate aggression. Alan Fiske

Like this:

When there is financial failure, it comes as a result of illiquidity. Now, truly, these parties are insolvent, because they took the risk of not being able to pay cash when it was due. Illiquidity and insolvency are really the same thing, though many obfuscate.

If you can’t pay cash, it doesn’t matter what your assets are worth in “normal” times. Banks should have planned in advance to make sure liquidity was always adequate, rather than doing the usual borrow short, lend long, that they usually do.

But after reading through the Fed ‘s proposal on bank solvency, I conclude that they may not get the picture. They spend time on liquidity and other issues. With liquidity, it is uncertain how they will view repo markets. To me, those should be view as short-term finance of long dated assets.

During times of crisis, repo markets seize up, with rising repo haircuts. Maybe I’ve read the Fed’s proposal wrong, but it seems that it neglects repo funding, which had a large effect on the recent crisis.

If banks had to be able to size their activity to survive a rise in repo haircuts equal to half of the highest that we have seen, it would probably be enough to make the issue go away, because the haircuts would be less likely to rise as a result of that restraint.

Now, I appreciate the perspective of this article from Dealbreaker on the topic. All of the assets of the bank support all of the liabilities. In one sense, there are no assets that are tagged “equity” and others tagged “liability.”

P&C Insurance works a little different. In that, premium reserves are invested in high quality short-term debt. Claim reserves are invested in high quality debt similar to the period that claims are expected to be paid out over. The remainder (the equity) can be invested in risk assets in order to earn a decent return for shareholders. The idea is this: match liabilities with high quality assets of the same length, and take risk with the remainder of assets, realizing that they might might needed for liquidity in the worst case scenarios.

But really, banks should not be viewed differently. They should invest like P&C or life insurers. Invest in high quality assets equal to the terms of their liabilities — deposits (estimate stickiness), savings accounts (same), CDs (the term is known). After that, take risks with the remaining assets in ways that reflect their comparative advantage, realizing that they might might needed for liquidity in the worst case scenarios. Illiquid investments (e.g. private equity) should not be allowed for a majority of of those investments.

If banks don’t engage in asset/liability mismatches aka maturity transformation, most of the risks of bank runs will go away. And that is what I propose. Note that if that happens, average people will have to pay some fee each year to have a checking account. Banks would be liquidity utilities.

This fits under my rubric that the insurance industry is much better regulated than the banking industry. Were it in my power to do so, I would turn banking regulation over to the states, and leave to the Fed control of monetary policy only. You would soon see intolerant banking regulation, much like we see in insurance, and defaults would decline.

If 200 insurance companies are meeting Solvency II capital requirements should we expect that one of them will fail each year?

Do we really have any idea of the answer to that question?

Or can we admit that calculating a 1/200 capital requirement is not really the same as knowing how much capital it takes to prevent failures at that rate?

Calculating a 1/200 capital requirement is about creating capital requirements that are related to the level of risk of the insurer. Calculating a 1/200 capital requirement is about trying to make the relationship of the capital level to the risk level consistent for different insurers with all different types of risk. Calculating a 1/200 capital requirement is about having a regulatory requirement that is reasonably close to the actual level of capital held by insurers presently.

It actually cannot be about knowing the actual likelihood of very large losses. Because it is unlikely that we will ever actually know with any degree of certainty what the actual size of the 1/200 losses might be.

We agree on methods for extrapolating losses from observed frequency levels. So perhaps, we might know what a 1/20 loss might be and we use “scientific” methods to extrapolate to a 1/200 value. These scientific assumptions are about the relationship between the 1/20 loss that we might know with some confidence and the 1/200 loss. Instead of just making an assumption about the relationship between the 1/20 and the 1/200 loss, we make an intermediate assumption and let that assumption drive the ultimate answer. That intermediate assumption is usually an assumption of the statistical relationship between frequency and severity. By making that complicated assumption and letting it drive the ultimate values, we are able to obscure our lack of real knowledge about the likelihood of extreme values. By making complicated assumptions about something that we do not know, we make sure that we can keep the discussion out of the hands of folks who might not fully understand the mathematics.

For the simplest such assumption, i.e. that of a Gaussian or Normal Distribution, the relationships are something like this:

For a risk with a coefficient of variance of 100% (i.e. the mean = standard deviation), the 1/200 loss is approximately 250% of the 1/20 loss

For a risk with a coefficient of variance of 150% (1.e. the mean = 2/3 the standard deviation) the 1/200 loss is approximately 200% of the 1/20 loss

For a risk with a coefficient of variance of 200% (i.e. the mean = 1/2 the standard deviation) the 1/200 loss is approximately 180% of the 1/20 loss

For a risk with a coefficient of variance of 70%, the 1/200 loss is 530% of the 1/20 loss

The graph above is the standard deviation/mean looking backwards at the S&P 500 annual returns for each of the previous 21 twenty-year periods. So based upon that data, we see that the 1/200 loss might be somewhere between 530% and 180% of the worst result in the 20 year period.

And in this case, we base this upon the assumption that the returns are normally distributed. We simply varied the parameters as we made observations.

What this suggests is that the distribution is not at all stable based upon 20 observations. So using this approach to extrapolating losses at more remote frequency looks like it will have some severe issues with parameter risk.

You can look at every single sub model and find that there is huge parameter risk.

So the conclusion should be that the 1/200 standard is a convention, rather than a claim that such a calculation might be reliable.

Risk management is a fantastic career opportunity as it gives people a very broad and deep perspective on the business through strategic and operational involvement, dealing with people at all levels in an organisation.

Reed Elsevier chief risk officer Arnout van der veer

Risk management now is a career option – it wasn’t when I first started down this route. Certainly the world today is a riskier place and there is a demand for professional, competent people. You need to be qualified in a relevant discipline (business studies, economics, and so on – financial and economic literacy is key) and consider one of the excellent MBAs now available.

DLA Piper chief risk officer Julia Graham

My philosophy over the years has been to take new opportunities as they arise. The job is what you make it, using your skills and competencies.

Morgan Crucible director of risk assurance Paul Taylor

To be an enterprise risk manager, you need to get a solid grounding in business and management at different levels. It’s not an entry-level job.

There are uncertainties in everything we do, and hence a career in risk management provides the opportunity to explicitly do what everyone intellectually knows must be done. Further, the concept of uncertainty provides an intriguing angle from which a company can be addressed.

LEGO senior director, strategic risk management Hans Laessøe

You have to care – about jobs, the health of the employees, the health of the factories and the health of the business.

Ferma president and director of risk management for Pirelli Worldwide Jorge luzzi

If you are able to communicate to your colleagues the concept that a risk manager can help the company’s business, protecting profit margins and business continuity, and they understand this, risk management is a really enjoyable job.

Prysmian group risk manager Alessandro de Felice

My motivation is to create value to my organisation by ensuring that we can deliver what we promise to our customers and shareholders through a well-functioning risk management process.

Assa Abloy group risk and insurance manager Fredrik Finnman

Risk managers should built professional skills over the following pillars: knowledge of risk measurement techniques; knowledge of the company’s processes; skills in spreading the risk culture inside the company; knowledge of the insurance business and risk underwriting: skills in leading internal working groups and designing procedures and control processes.

Telecom Italia corporate risk manager Paolo Rubini

Risk management is about managing risks inherent to the business, so it is critical to understand your business. Moving the company towards a different way of thinking about risk is all about change management and leadership. It’s important to share thoughts and experiences with other colleagues in the field. Attending professional and international events, such as the Ferma Forum, specific seminars and courses to meet other practising risk professionals is a good way to do this.

This story reveals several things about the nature of risk and the CRO job.

First, the nature of risk. Risk is always about the future. There will always be disagreements about the level of risk. True disagreements. People believing completely different things. And it is the future we are talking about. No one KNOWS for certain about the future. And also, risk is potential for loss. In many cases, even after the fact, no one can know how much risk that there was. A severe adverse event that had a likelihood of 10% might not happen in the coming year. Another equally severe event with a 0.1% likelihood migh happen. Exposure to the 10% event was certainly riskier than an equal sized exposure to the 0.1% event. Even if the less risky exposure produced a loss while the more risky exposure did not.

So the fact that the MF Global position produced a large, firm ending loss does not prove that the CRO was right.

In fact, what other stories reveal is that the board thought that the positions were more risky than Corzine. And that is pretty typical of what you will see at financial services firms. The top executives generally have the opinion that the environment is somewhat less risky than the board sees it while the non-executive employees generally see much, much more risk that either the executives or the board.

This tends to create exactly the dynamic that played out at MF Global where the CEO ignored the CRO warnings and the board very slightly restricted the CEO.

About the CRO

Many people forget that the Chief Risk Officer is usually not independent of the CEO. If there is a company where the CEO does not think that they are totally responsible for risk, then the CRO will not have enough power or influence with the board to remedy that problem. And if a CEO is aware that they are responsible for company results, good or bad, then clearly the job of the CRO, for better or for worse, is to execute the risk strategy of the CEO. NOT to critique that policy to the board.

RISKVIEWS tends to think of the risk appetite as the expression of the objective of the risk management system. The CRO should not be setting their own objective. So at MF Global, if the risk appetite was expressed as some sort of broad statement about corporate security, then the conflict became what is described above – a disagreement about the calibration of the risk model.

But the story says that the board approved some of the positions and disapproved a proposal to increase those positions even more that was made by the CEO. That makes it sound like there was a risk appetite and that the board, even if they did not say it in advance, knew when it was exceeded.

So the CROs job is not to stand in judgment of both the CEO and the Board. The CROs job is to work within the risk appetite of the board.

Like this:

Some Enterprise Risk management programs feature lists of 75 or more risks that the ERM program attends to.

This approach to ERM drastically reduces the potential power of ERM to help to focus attention to Enterprise Risks.

An Enterprise Risk is a class of events that could severely damage the capability of the enterprise to achieve its mission. No serious undertaking has 75 classes of events that could stop them in their tracks.

A serious undertaking might have 5 such risks. Usually less. Things that in spite of the best efforts of management could stop them in their tracks. There are probably another 5 or so risks that are potentially that serious, but that the firm has, for the most part, under control.

What Enterprise Risk Management is about is a constant effort to pay attention to those 10 or so top risks. To make sure that a new potential trouble is not creeping into that top 10. To make sure that they are not accidentally taking on much more of those risks. To find ways to mitigate that first group of top risks. To make sure that the controls on that second group of top risks are still sufficient. And to make sure that there are not any secondary risks outside of this list that are very highly correlated with the Enterprise Risks.

Dave Sandberg likes to classify risks into three classes:

Risks that threaten the earnings of the firm

Risks that threaten the capital of the firm

Risks that threaten the promises of the firm

A well managed firm will attend to all three types of risks, but the Enterprise Risks are the risks that threaten capital and promises that should be the concern of the Enterprise Risk Management program of the firm. They should be the concern of the top executives of the firm. Those risks should be the concern of the directors of the firm.